---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: registry-packages-proxy
  namespace: d8-cloud-instance-manager
  {{- include "helm_lib_module_labels" (list . (dict "app" "registry-packages-proxy")) | nindent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: d8:registry-packages-proxy:registry-packages-proxy
  {{- include "helm_lib_module_labels" (list . (dict "app" "registry-packages-proxy")) | nindent 2 }}
rules:
  - apiGroups:
      - "deckhouse.io"
    resources:
      - modulesources
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: d8:registry-packages-proxy:registry-packages-proxy
  {{- include "helm_lib_module_labels" (list . (dict "app" "registry-packages-proxy")) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: d8:registry-packages-proxy:registry-packages-proxy
subjects:
  - kind: ServiceAccount
    name: registry-packages-proxy
    namespace: d8-cloud-instance-manager
